www.securityweek.com 4/15/2026, 1:31:20 PM · via preferred

Over 20,000 Users Exposed by Backdoor Chrome Extensions

SecurityWeek reports that more than 20,000 users installed malicious Chrome extensions designed to provide a backdoor, steal information, or inject ads. The extensions belong to a coordinated campaign published under five accounts: GameGen, InterAlt, SideGames, Rodeo Games, and Yana Project. The firm Socket identified 108 extensions across various product categories, with about half designed to harvest Google accounts via OAuth2 and 45 carrying a universal backdoor that opens arbitrary URLs when the browser starts.

The campaign also included extensions that exfiltrate Telegram sessions, inject ads on YouTube and TikTok pages, and proxy translation requests through an attacker-controlled server, all while mimicking legitimate functionality to avoid suspicion.

The Telegram Multi-account extension can steal the active Telegram Web session and overwrite local storage to take over the account. Web Client for Telegram – Teleside can also steal sessions and has a backdoor in its background script that allows payloads to be activated directly. According to Socket, the 54 extensions that steal Google accounts use an OAuth2 Bearer token to fetch data locally and send only a permanent identity record to the attackers, and the campaign's backdoor persists across browser restarts. SecurityWeek notes that the extensions were not immediately removed from the Chrome Web Store.

Article by CyberSIXT